We have to look at different approaches. CSIS, the RCMP and even federal agencies won’t be able to fix everything. As you said, a lot of the infrastructure that could be considered critical and that is the most vulnerable is at a relatively low level, where there can be fewer resources and less expertise for cybersecurity.
There are different cases, particularly in the US, where foreign state‑sponsored hackers targeted municipal or state infrastructure, expecting them to be less protected at that level. There are therefore various approaches and levels to consider.
I believe Ms. Csenkey talked earlier about making it mandatory for organizations that manage critical infrastructure to report cyber incidents. I believe the US just did this, or is about to. It’s a best practice, and I think we should be doing that as well.